Misconfiguration in Change-password Functionality Leads to Account Takeover

Hello everyone,

  • Does the server validate it?
  • What happens if we remove it?
  • What if we replace our email with someone else's email: does it change their password?
  • So we went to the login page, entered the victim's email together with the credentials we had created for him (test@1234), and guess what: we accessed the victim's account successfully 😎.

Steps to reproduce in the main report:

  1. Log in to the attacker account, here (test1)
    Email = attacker@mail.com
    pass = attackerpass@1234
  2. Log in to the victim account, here (test2)
    Email = victim@mail.com
    pass = victimpass@1234
  3. Go to the change-password function in the attacker window.
  4. Intercept the request and send it to Repeater.
  5. Remove the current-password parameter and the Xauthcredentials header from the request.
  6. Change the attacker email to the victim email in the request body.
  7. Enter the new password you want, here (newpass@1234).
  8. Now log out of the victim account and try to log in with the new password.
  9. You now have full account takeover of the victim.
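To make the root cause concrete, here is an added example (not code from the affected site or from the original write-up) that replays the steps above against two toy change-password handlers: one that behaves like the misconfigured endpoint, taking the account from the email in the request body and requiring neither the current password nor the auth header, and a hardened one that derives the account from the authenticated session, insists on the current password, and ignores any email in the body. The user store, session store, `Authorization: Bearer` header name and the minimum-length rule are assumptions for the demo, as are the email addresses and passwords, which are placeholders.

```python
"""Change-password handler: the misconfiguration described in the
write-up beside a hardened version. Example code, not the site's own."""
import hashlib
import hmac
import secrets

# Constructed in-memory stores for the demo (assumption: a real app would
# keep these in a database and a server-side session store).
USERS = {}      # email -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session token -> email


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def login(email: str, password: str):
    """Returns a session token on success, None otherwise."""
    if not verify_password(email, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def vulnerable_change_password(headers: dict, body: dict) -> tuple:
    """Mirrors the write-up: the account is chosen by the email in the body,
    and neither the current password nor the auth header is checked."""
    email = body.get("email")
    if email not in USERS:
        return 404, "no such user"
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(body["new_password"], salt)}
    return 200, "password changed"


def hardened_change_password(headers: dict, body: dict) -> tuple:
    """The account comes from the authenticated session, never from the body;
    the current password is mandatory and verified; body 'email' is ignored."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    email = SESSIONS.get(token)
    if email is None:
        return 401, "authentication required"
    current = body.get("current_password")
    new = body.get("new_password")
    if not current or not new:
        return 400, "current_password and new_password are required"
    if not verify_password(email, current):
        return 403, "current password incorrect"
    if len(new) < 12:  # assumed policy for the demo
        return 400, "new password too short"
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(new, salt)}
    # Drop every other session for this user so a stolen session does not
    # outlive the password change.
    for t in [t for t, e in SESSIONS.items() if e == email and t != token]:
        del SESSIONS[t]
    return 200, "password changed"


def demo() -> dict:
    """Replays the write-up's steps against both handlers; returns outcomes."""
    USERS.clear()
    SESSIONS.clear()
    register("attacker@mail.com", "attackerpass@1234")
    register("victim@mail.com", "victimpass@1234")
    attacker_token = login("attacker@mail.com", "attackerpass@1234")
    # Steps 5-7: current password and auth header removed, email swapped.
    tampered = {"email": "victim@mail.com", "new_password": "newpass@1234"}
    vuln_status, _ = vulnerable_change_password({}, tampered)
    vuln_takeover = verify_password("victim@mail.com", "newpass@1234")
    # Reset the victim and replay the same request against the hardened handler.
    register("victim@mail.com", "victimpass@1234")
    no_auth_status, _ = hardened_change_password({}, tampered)
    no_current_status, _ = hardened_change_password(
        {"Authorization": f"Bearer {attacker_token}"}, tampered)
    # Even a fully authenticated caller supplying their own current password
    # only ever changes their own account, whatever email the body carries.
    own_status, _ = hardened_change_password(
        {"Authorization": f"Bearer {attacker_token}"},
        {**tampered, "current_password": "attackerpass@1234"})
    return {
        "vulnerable_status": vuln_status,
        "vulnerable_takeover": vuln_takeover,
        "hardened_no_auth": no_auth_status,
        "hardened_no_current_pw": no_current_status,
        "hardened_own_account": own_status,
        "victim_password_intact": verify_password("victim@mail.com", "victimpass@1234"),
        "attacker_password_changed": verify_password("attacker@mail.com", "newpass@1234"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix that matters is the first line of the hardened handler: the target account must be resolved from server-side authentication state, so that any identifier in the request body is at most a hint that is never trusted for authorization. Requiring the current password and invalidating other sessions are the second and third layers; on their own they would not have stopped this report, because the body email would still have selected the victim.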
